What is AWS WAF?
AWS WAF (Web Application Firewall) is a managed web application firewall that helps protect your web applications or APIs against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.
Key Concepts
1. Web ACL (Access Control List)
- The container for your rules. You attach a Web ACL to a resource (CloudFront, ALB, API Gateway).
2. Rules & Conditions
- IP Set: Allow/Block specific IP addresses.
- Geo Match: Block traffic from specific countries.
- SQL Injection & XSS: Block requests containing malicious SQL code or cross-site scripting payloads.
- Rate-based: Block IP addresses that send too many requests in a 5-minute period (e.g., > 2000 requests).
3. Managed Rules
- Pre-configured sets of rules managed by AWS or AWS Marketplace sellers (e.g., "AWS Managed Rules for WordPress", "OWASP Top 10").
Exam Tips
[!IMPORTANT] Layer 7 Protection: WAF operates at Layer 7 (Application Layer). It inspects the content of the request (Body, Headers, Cookies).
[!NOTE] WAF vs Network ACL:
- WAF: Inspects "Is this request malicious SQL?" (Layer 7).
- Network ACL: Filters "Is this IP allowed to talk to my subnet?" (Layer 4).
[!WARNING] WAF cannot be attached directly to an EC2 instance. It must be attached to an Application Load Balancer, CloudFront, or API Gateway.
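The following is an added example, not AWS code and not part of the original notes. It models the Key Concepts above (a Web ACL as a container of prioritised rules with a default action; IP set, geo match, rate-based and SQLi rule statements) and the attachment warning (REGIONAL scope for ALB and API Gateway, CLOUDFRONT for distributions, nothing for EC2). The rule statement shapes follow the wafv2 CreateWebACL API, but the evaluation engine, the IP set contents, the ARN and the SQLi regex are all constructed stand-ins, and the required VisibilityConfig fields are omitted.

```python
"""Toy model of an AWS WAF Web ACL. Added example, not AWS code."""
import ipaddress
import re
from collections import defaultdict, deque

# Placeholder ARN: real IP set ARNs come from the wafv2 CreateIPSet API (assumption).
BLOCKED_IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked/EXAMPLE-ID"
# Constructed IP set contents, keyed by ARN the way IPSetReferenceStatement refers to them.
IP_SETS = {BLOCKED_IP_SET_ARN: ["203.0.113.0/24"]}
RATE_WINDOW_SECONDS = 300  # rate-based rules count requests over a 5-minute period
# Crude stand-in for the SQLi detector; AWS uses its own matcher, not this regex.
SQLI_PATTERN = re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE)


def build_web_acl():
    """Web ACL for an ALB (REGIONAL scope), using the rule statement shapes of the
    wafv2 CreateWebACL API. VisibilityConfig (required by the real API) is omitted."""
    return {
        "Name": "example-web-acl",
        "Scope": "REGIONAL",  # CLOUDFRONT for distributions; REGIONAL for ALB and API Gateway
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {"Name": "block-ip-set", "Priority": 0, "Action": {"Block": {}},
             "Statement": {"IPSetReferenceStatement": {"ARN": BLOCKED_IP_SET_ARN}}},
            {"Name": "geo-block", "Priority": 1, "Action": {"Block": {}},
             "Statement": {"GeoMatchStatement": {"CountryCodes": ["KP"]}}},
            {"Name": "rate-limit", "Priority": 2, "Action": {"Block": {}},
             "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}}},
            {"Name": "sqli-body", "Priority": 3, "Action": {"Block": {}},
             "Statement": {"SqliMatchStatement": {"FieldToMatch": {"Body": {}},
                                                 "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}},
        ],
    }


def validate(web_acl, resource_type):
    """Return problems: duplicate priorities, malformed actions, or a scope that does
    not fit the resource the ACL is attached to (EC2 is not attachable at all)."""
    problems = []
    priorities = [r["Priority"] for r in web_acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("rule priorities must be unique")
    for rule in web_acl["Rules"]:
        if len(rule["Action"]) != 1 or next(iter(rule["Action"])) not in ("Allow", "Block", "Count"):
            problems.append(f"{rule['Name']}: Action must be exactly one of Allow, Block, Count")
    scope_for = {"cloudfront": "CLOUDFRONT", "alb": "REGIONAL", "api_gateway": "REGIONAL"}
    if resource_type not in scope_for:
        problems.append(f"{resource_type}: a Web ACL cannot be attached to this resource type")
    elif web_acl["Scope"] != scope_for[resource_type]:
        problems.append(f"Scope must be {scope_for[resource_type]} for {resource_type}")
    return problems


def _matches(statement, request, rate_state):
    """Simplified matcher for the four statement types used above."""
    (kind, spec), = statement.items()
    if kind == "IPSetReferenceStatement":
        addr = ipaddress.ip_address(request["ip"])
        return any(addr in ipaddress.ip_network(cidr) for cidr in IP_SETS[spec["ARN"]])
    if kind == "GeoMatchStatement":
        return request["country"] in spec["CountryCodes"]
    if kind == "RateBasedStatement":
        seen = rate_state[request["ip"]]  # per-IP timestamps inside the sliding window
        seen.append(request["ts"])
        while seen[0] <= request["ts"] - RATE_WINDOW_SECONDS:
            seen.popleft()
        return len(seen) > spec["Limit"]
    if kind == "SqliMatchStatement":
        return bool(SQLI_PATTERN.search(request.get("body", "")))
    raise ValueError(f"unsupported statement: {kind}")


def evaluate(web_acl, request, rate_state):
    """Rules run in ascending Priority; the first Allow/Block decides. A Count rule
    only records the match, so evaluation continues; otherwise DefaultAction applies."""
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], request, rate_state):
            action = next(iter(rule["Action"]))
            if action in ("Allow", "Block"):
                return action, rule["Name"]
    return next(iter(web_acl["DefaultAction"])), "default"


def demo():
    """Run constructed requests through the ACL and return what each one hit."""
    acl = build_web_acl()
    state = defaultdict(deque)
    results = {
        "listed_ip": evaluate(acl, {"ip": "203.0.113.7", "country": "US", "ts": 0}, state),
        "embargoed": evaluate(acl, {"ip": "198.51.100.5", "country": "KP", "ts": 0}, state),
        "sqli": evaluate(acl, {"ip": "198.51.100.6", "country": "US", "ts": 0,
                               "body": "user=' OR 1=1 --"}, state),
        "clean": evaluate(acl, {"ip": "198.51.100.6", "country": "US", "ts": 1, "body": "user=bob"}, state),
    }
    # 2001 requests from one IP within 200 s (inside the 5-minute window): the 2001st exceeds Limit=2000.
    for t in range(2001):
        last = evaluate(acl, {"ip": "198.51.100.9", "country": "US", "ts": t // 10}, state)
    results["flood"] = last
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The point to take from the evaluator is the ordering rule: a lower Priority number runs first, and the first Allow or Block terminates evaluation, so a listed IP never reaches the rate counter. The `validate` helper encodes the exam tip that a Web ACL's Scope must match the attachment target and that EC2 is not a valid target.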
Common Use Cases
- Blocking SQL Injection: Preventing attackers from stealing database data via web forms.
- Geo-Blocking: Preventing users from embargoed countries from accessing your site.
- Rate Limiting: Stopping a single user from flooding your login page (brute-force protection).